Base SSL-opts are incompatible with TLS v1.3

[DerTim1]

In

hackney/src/hackney_ssl.erl

Line 140 in eca5fbb

{secure_renegotiate, true},

two BaseOpts

{secure_renegotiate, true},
{reuse_sessions, true}

will be set. These options are incompatible with {versions, [tlsv1.3]} (see e.g. https://www.erlang.org/doc/apps/ssl/ssl.html#t:common_option_pre_tls13/0). Setting them to false won't help either.

See this example:

iex(1)> ssl_options = [
...(1)>     versions: [:"tlsv1.3"],
...(1)>     cacertfile: "/etc/ssl/certs/ca-certificates.crt",
...(1)>     verify: :verify_peer
...(1)>   ]
[
  versions: [:"tlsv1.3"],
  cacertfile: "/etc/ssl/certs/ca-certificates.crt",
  verify: :verify_peer
]
iex(2)> :hackney_ssl.connect('s3.eu-central-1.amazonaws.com', 443, ssl_options)
{:error,
 {:options, :incompatible, [:secure_renegotiate, {:versions, [:"tlsv1.3"]}]}}

When removing {secure_renegotiate, true} & {reuse_sessions, true} in hackney_ssl.erl, it will work:

iex(2)> :hackney_ssl.connect('s3.eu-central-1.amazonaws.com', 443, ssl_options)
{:ok,
 {:sslsocket, {:gen_tcp, #Port<0.37>, :tls_connection, :undefined},
  [#PID<0.1344.0>, #PID<0.1343.0>]}}

Can the options be removed? Alternative a condition need to be added on the value of versions and only add them, if it doesn't contain tlsv1.3.